Update to Email Privacy Law Must Go Further

Proposals to update the email privacy law, the Electronic Communications Privacy Act (ECPA), are moving quickly in Congress. ECPA is in dire need of an update as it was written in the mid-1980s long before the advent of ubiquitous webmail and cloud storage. In the past, ECPA was used by the Department of Justice (DOJ) to obtain emails and other private online messages older than 180 days without a probable cause warrant. If law enforcement sought those same messages in the physical world, a warrant would be required. This difference is not only wrong, but also inconsistent with the Fourth Amendment. Senators Patrick Leahy and Mike Lee plan to fix this.

Last month, S. 607, a bill sponsored by Senators Leahy and Lee, passed out of the Senate Judiciary Committee. The bill requires that law enforcement obtain a warrant if it wants any private online messages, like private Facebook messages or Twitter direct messages. The Digital Due Process coalition, a diverse coalition of privacy advocates (including EFF) and major companies, has worked hard to advance ECPA reform and should be commended for its work. But because many agencies and companies already require a warrant for all private online messages, more could be done to bolster the law.

The bill should go beyond the status quo. Missing in the bill is a suppression remedy. In the current draft, if law enforcement obtained your email without a warrant, in violation of the revised law, nothing would prevent that illegally obtained evidence from being admitted in a criminal trial. A suppression remedy is a common sense addition to the bill ensuring that its impact is equal to its intent: ensuring all private virtual messages—just like any other private physical message—are available to the government only with a warrant based on probable cause.

In United States v. Warshak (2010), the Sixth Circuit ruled that the 180-day rule, as written, was unconstitutional. At a hearing last month, the DOJ Office of Legal Policy finally admitted that emails older than 180 days should logically be protected by a warrant. That statement suggests that the DOJ will be seeking warrants for all private online messages going forward.

But even before DOJ's admission, many companies already required a warrant before allowing law enforcement access to a user's private messages. In The Hill, Google, Microsoft, and Yahoo—the three largest webmail providers—said they require the government to obtain a search warrant before accessing private content. In addition, Facebook and Twitter also require a warrant for private messages. Our Who Has Your Back campaign lists even more companies.

Senators Leahy and Lee provided a good start for ECPA reform. Likewise, the DDP coalition has done tremendous work to move the bill forward. But ECPA reform must do more than codify the status quo. At the minimum, any bill passed by Congress should have a suppression remedy.
